FIPS Compliance #3006
Greetings,

We have a number of applications that make use of Fluent NHibernate for our ORM. Unfortunately, our IT dept (we're government) recently instituted a group policy enforcing FIPS on the relevant web servers. Our research so far indicates that, since both Fluent NHibernate and NHibernate are not compiled with FIPS, we will have to explore new ORM solutions. I was hoping someone here might be able to speak to the prospect of adding support for FIPS compliance (Federal Information Processing Standards) to the fluent-nhibernate repository.
This assertion does not really make sense to me.

As far as I know, being FIPS compliant is a matter of using FIPS compliant hashing and ciphering implementations for any security related task. That is beyond the scope of NHibernate, which does not implement any such task.

Still, if your OS settings enforce things like Windows FIPS 140 compliance mode (which seems to be what you are doing), you may have trouble with the current NHibernate implementation, which may use some non FIPS compliant implementations for non security related tasks (computing hashcodes for hashtables, for example). This is perfectly valid from a FIPS compliance standpoint since these are not security related tasks. But that Windows mode will still block them.

If that is your issue, then please point out to us all the "pain points" (e.g., FIPS 140 exceptions occurring when using NHibernate on such a system) with a detailed stack trace, for us to see if there is anything we can/should do.

NHibernate has used in the past some non FIPS compliant hashing algorithms for non security related tasks, but I do not think that is still the case. It could still be the case in some NHibernate-Cache providers, if you are using the second level cache. So rather than waiting for us to blindly search in the code (which we may never do), better open issues on features which are failing when used on FIPS 140 enabled Windows systems, with a detailed stack trace.

If I am missing something else about FIPS compliance in the .Net eco-system, please provide us with a precise reference about what else should be done to be FIPS compliant.

It should be noted that having such "Windows FIPS 140 mode" exceptions within NHibernate does not mean NHibernate is not FIPS compliant. It only means it does not support that Windows mode, which goes far beyond FIPS compliance requirements, since it blocks usages without knowing if they are done for security tasks or not. (See here for more explanations.)
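Added example, not part of the thread and not NHibernate code: a small .NET Framework console probe for collecting the kind of stack trace the reply above asks for. It assumes Windows with the FIPS policy enabled; `FipsPainPointProbe`, `FindFipsRejection` and the sample cache key are hypothetical names constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class FipsPainPointProbe
{
    // Runs an action and returns the outermost exception when something in its
    // chain looks like a Windows FIPS policy rejection; returns null on success.
    // Failures unrelated to FIPS are rethrown unchanged.
    static Exception FindFipsRejection(Action action)
    {
        try { action(); return null; }
        catch (Exception ex)
        {
            for (var e = ex; e != null; e = e.InnerException)
            {
                // Heuristic (assumption): the exception message mentions "FIPS".
                // Localized systems may word it differently.
                if (e is InvalidOperationException &&
                    e.Message.IndexOf("FIPS", StringComparison.OrdinalIgnoreCase) >= 0)
                    return ex; // keep the outermost exception so the full trace survives
            }
            throw;
        }
    }

    static void Main()
    {
        // True when the machine policy restricts .NET to FIPS-validated implementations.
        Console.WriteLine("FIPS-only policy active: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        // Constructed stand-in for a non-security use of a hash (deriving a cache key).
        // Replace the lambda body with the call that fails in your application,
        // for example building the session factory.
        var failure = FindFipsRejection(() =>
        {
            using (var md5 = new MD5CryptoServiceProvider())
                md5.ComputeHash(Encoding.UTF8.GetBytes("constructed-cache-key"));
        });

        Console.WriteLine(failure == null
            ? "No FIPS rejection observed for this action."
            : "FIPS rejection, attach this trace to the issue:\n" + failure);
    }
}
```

Whether a given hash class is rejected depends on the .NET Framework version and the policy in force, so the probe reports what it observes rather than assuming an outcome.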
Thanks so much for the prompt reply! We appreciate the context and feedback. We'll certainly do our best to gather more specific information and post it as an open issue.